lib/conjur/command/roles.rb in conjur-cli-5.6.6 vs lib/conjur/command/roles.rb in conjur-cli-6.0.0.rc1
@@ -18,53 +18,20 @@
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
class Conjur::Command::Roles < Conjur::Command
- GRAPH_FORMATS = %w(json dot)
-
-
desc "Manage roles"
command :role do |role|
-
- role.desc "Create a new role [DEPRECATED]"
- role.arg_name "ROLE"
- role.command :create do |c|
- acting_as_option(c)
-
- c.desc "Output a JSON response with a single field, roleid"
- c.switch "json"
-
- c.action do |global_options,options,args|
- notify_deprecated
-
- id = require_arg(args, 'ROLE')
- role = api.role(id)
-
- if ownerid = options.delete(:ownerid)
- options[:acting_as] = ownerid
- end
-
- role.create(options)
- if options[:json]
- display({
- roleid: role.roleid
- })
- else
- puts "Created role #{role.roleid}"
- end
- end
- end
-
role.desc "Determines whether a role exists"
role.arg_name "ROLE"
role.command :exists do |c|
c.desc "Output a JSON response with a single field, exists"
c.switch "json"
c.action do |global_options,options,args|
- id = require_arg(args, 'ROLE')
+ id = full_role_id(require_arg(args, 'ROLE'))
role = api.role(id)
if options[:json]
display({
exists: role.exists?
})
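Review bot: The `exists` action now resolves the ROLE argument through `full_role_id` before calling `api.role(id)`, but nothing in the hunk says what that normalisation does, and `full_role_id` is defined outside this file section. Since the other actions in this release pair it with `Conjur.configuration.account`, it presumably prefixes a bare id with the configured account; a one-line comment above the call, `# ROLE may be given without the account prefix; full_role_id fills it in from the configured account`, would make the accepted input forms explicit — confirm the wording against the helper. The enclosing `command :role do |role|` block continues past this hunk.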
@@ -72,174 +39,37 @@
puts role.exists?
end
end
end
- role.desc "Lists role memberships. The role membership list is recursively expanded by default."
+ role.desc "Lists role memberships. The role membership list is recursively expanded."
role.arg_name "ROLE"
role.command :memberships do |c|
- c.desc "Verbose output. Only meaningful with --no-recursive."
- c.switch [:V,:verbose]
-
- c.desc "Whether to recursively expand role memberships"
- c.default_value true
- c.switch [:r, :recursive]
-
c.desc "Whether to show system (internal) roles"
- c.switch [:system]
+ c.switch [:s, :system]
- command_option_kind c
- command_options_for_search c
-
c.action do |global_options,options,args|
roleid = args.shift
- assert_empty(args)
- role = roleid.nil? && api.current_role || api.role(roleid)
-
- opts = process_command_options_for_search(options)
- opts[:recursive] = false unless options[:recursive]
- memberships = role.all(opts)
- display_members memberships, :role, options
+ role = roleid.nil? && api.current_role(Conjur.configuration.account) || api.role(full_role_id(roleid))
+ memberships = role.memberships.map(&:id)
+ unless options[:system]
+ memberships.reject!{|id| id =~ /^.+?:@/}
+ end
+ display memberships
end
end
role.desc "Lists all direct members of the role. The membership list is not recursively expanded."
role.arg_name "ROLE"
role.command :members do |c|
c.desc "Verbose output"
c.switch [:V,:verbose]
- c.desc "Whether to show system (internal) roles"
- c.switch [:system]
-
- command_option_kind c
- command_options_for_search c
-
c.action do |global_options,options,args|
roleid = args.shift
- assert_empty(args)
- role = roleid.nil? && api.current_role || api.role(roleid)
- opts = process_command_options_for_search(options)
-
- members = role.members(opts)
- display_members members, :member, options
- end
- end
-
- role.desc "Grant a role to another role. You must have admin permission on the granting role. [DEPRECATED]"
- role.arg_name "ROLE-1 ROLE-2"
- role.command :grant_to do |c|
- c.desc "Whether to grant with admin option"
- c.switch [:a,:admin]
-
- c.action do |global_options,options,args|
- notify_deprecated
-
- id = require_arg(args, 'ROLE-1')
- member = require_arg(args, 'ROLE-2')
- role = api.role(id)
- grant_options = {}
- grant_options[:admin_option] = true if options[:admin]
- role.grant_to member, grant_options
- puts "Role granted"
- end
- end
-
-
- role.desc "Revoke a role from another role. You must have admin permission on the revoking role. [DEPRECATED]"
- role.arg_name "ROLE-1 ROLE-2"
- role.command :revoke_from do |c|
- c.action do |global_options,options,args|
- notify_deprecated
-
- id = require_arg(args, 'ROLE-1')
- member = require_arg(args, 'ROLE-2')
- role = api.role(id)
- role.revoke_from member
- puts "Role revoked"
- end
- end
-
-
- role.long_desc <<-EOD
-Retrieves a digraph representing the role members and memberships of one or more roles.
-
-The --[no-]ancestors and --[no-descendants] determine whether the graph should include ancestors, descendants, or both. Both
-are included in the graph by default.
-
-The --acting-as flag specifies, as usual, a role as which to perform the action. The default is the role of the currently
-authenticated user. Only roles visible to this role will be included in the resulting graph.
-
-The output is always written to the standard output, and can be one of the following forms (specified with the --format flag):
-
- * png: use the 'dot' command to generate a png image representing the graph.
-
- * dot: produce a file in a suitable format for use with the 'dot' program.
-
- * json [default]: output a JSON representation of the graph.
-
-In order to generate png images, the 'dot' program must be present and on your path. This program is usually installed
-as part of the 'graphviz' package, and is available via apt-get on debian like systems and homebrew on OSX.
-
-The JSON format is determined by the presence of the --short flag. If the --short flag is present, the JSON will be an array of
-edges, with each edge represented as an array:
-
- [
- [ 'parent1', 'child1' ],
- [ 'parent2', 'child2'],
- ...
- ]
-
-If the --short flag is not present, the JSON output will be more verbose:
-
- {
- "graph": [
- {
- "parent": "parent1",
- "child": "child1"
- },
- ...
- ]
- }
-EOD
-
- role.desc "Describe role memberships as a digraph"
- role.arg_name "ROLE", :multiple
- role.command :graph do |c|
- c.desc "Output formats [#{GRAPH_FORMATS}]"
- c.flag [:f,:format], default_value: 'json', must_match: GRAPH_FORMATS
-
- c.desc "Use a more compact JSON format"
- c.switch [:s, :short]
-
- c.desc "Whether to show ancestors"
- c.switch [:a, :ancestors], default_value: true
-
- c.desc "Whether to show descendants"
- c.switch [:d, :descendants], default_value: true
-
- acting_as_option(c)
-
- c.action do |_, options, args|
- format = options[:format].downcase.to_sym
- if options[:short] and format != :json
- $stderr.puts "WARNING: the --short option is meaningless when --format is not json"
- end
-
- params = options.slice(:ancestors, :descendants)
- params[:as_role] = options[:acting_as] if options.member?(:acting_as)
-
- graph = api.role_graph(args, params)
-
- output = case format
- when :json then graph.to_json(options[:short]) + "\n"
- when :dot then graph.to_dot + "\n"
- else raise "Unsupported format: #{format}" # not strictly necessary, because GLI must_match checks it,
- # but might as well?
- end
-
- $stdout.write output
+ role = roleid.nil? && api.current_role(Conjur.configuration.account) || api.role(full_role_id(roleid))
+ display_members role.members, options
end
end
end
end
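Review bot: Extra positional arguments are now silently ignored in both the memberships and members actions: `roleid = args.shift` is kept on the line after each `c.action`, but the `assert_empty(args)` that followed it is removed in both places, so `role memberships a b` quietly acts on `a`; keep `assert_empty(args)` after each `args.shift` unless dropping it was deliberate. The system-role filter `memberships.reject!{|id| id =~ /^.+?:@/}` anchors with `^`, which in Ruby matches at any line start, and the lazy `.+?` spans the account and kind segments too, so if role identifiers can begin with `@` an id such as `acct:user:@bob` would be hidden along with system roles; if system roles are marked by `@` directly after the account segment, `memberships.reject! { |id| id.match?(/\A[^:]+:@/) }` restricts the match to that segment and avoids allocating MatchData. The new `display_members role.members, options` drops the `:member` kind argument the old call passed, which is only correct if the helper's signature changed in the same release — that helper is outside this hunk. The enclosing `command :role do |role|` block begins in the previous hunk.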